Note:


This version of the slide deck is draft material. Please check
the following website for the version that is presented:

http://kyleosborn.com/bh2012


Further updates to the white paper will also be available
there.
Introductions


Krzysztof Kotowicz 

IT security consultant at SecuRing 


Kyle Osborn 

Information Security Specialist at AppSec Consulting 
Chrome Extension Security


Common web vulnerabilities that affect higher-privileged
applications.


Cross-Site Scripting and Cross-Site Request Forgery are
the most common vulnerabilities in extensions.
Chrome Extension Security


Currently, Chrome extension security is very 
reliant on the developer. 


Writing bad code is easy, giving extensions 
more permissions than necessary is easier. 
Chrome Extension Security

Most commonly vulnerable: 

RSS Readers 

Note Extensions 

Web Developer extensions 
Finger Printing


The simplest method of fingerprinting was described by
Krzysztof:

http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html

chrome-extension: URIs aren't (currently) restricted
from a website's DOM.

It is simple to generate a list of known extension IDs
and brute-force chrome-extension://ID/ resources to
discover which extensions are installed.
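Added mitigation note, not part of the original deck: Chrome's manifest version 2 (introduced in 2012) blocks web pages from loading an extension's resources unless they are listed under web_accessible_resources, so the chrome-extension://ID/ probing above only works for resources the developer explicitly exposes. The manifest below is a constructed example loosely modelled on the Slick RSS Feed Finder manifest shown later in the deck; the extension name and file names are assumptions.

```json
{
  "manifest_version": 2,
  "name": "Feed Finder (hardened example)",
  "version": "1.0",
  "description": "Constructed example: auto-discovers RSS feeds on visited pages",
  "background": { "page": "background.html" },
  "content_scripts": [
    {
      "js": [ "feedfinder.js" ],
      "matches": [ "http://*/*", "https://*/*" ]
    }
  ],
  "web_accessible_resources": [
    "images/subscribe.png"
  ]
}
```

Every entry in web_accessible_resources re-enables the fingerprint for that one path, so the list should stay as short as the extension's page-injected UI actually requires.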


Previous Research


Kotowicz

http://blog.kotowicz.net/2012/02/intro-to-chrome-addons-hacking.html

UC Berkeley - Extension security evaluation

http://www.eecs.berkeley.edu/~afelt/extensionvuli

Hacking Google ChromeOS (BH 2011)
Examples/Demos


Slick RSS & Slick RSS: Feed Finder
Simple injection location (<link> tag title)



Manifest of Slick RSS: Feed Finder (as shown in the screenshot, truncated):

{ "background_page": "background.html",
  "content_scripts": [ {
    "js": [ "feedfinder.js" ],
    "matches": [ "http://*/*", "https://*/*" ] } ],
  "description": "A companion extension
  for Slick RSS, auto discovers RSS and


[Screenshot: Slick RSS showing "Subscribed to 'My Blog's RSS Feed'" with an Un-subscribe button]
Examples/Demos


[Screenshot: Slick RSS feed view (Manage / Refresh / Options toolbar, several "Read Later" entries) reporting a problem]

Problems

The feed selected seems to be invalid. Please check
the URL.

Nerdy Details

The response didn't have a valid responseXML
property.
Automating Post-exploitation


Found <script>alert(1)</script> - Now what?

Use an automated tool to pillage and plunder.

The Browser Exploitation Framework (BeEF)
does a great job hooking into DOMs.

But we need a tool designed specifically to take
advantage of Chrome Extension APIs.
Automating Post-exploitation

• Enter XSS ChEF
  (Chrome Extension
  Exploitation Framework)

Designed from the ground up as a Chrome
extension exploitation framework.

Fast (uses WebSockets)

Preloaded with automated attack scripts
Automating Post-exploitation


• Monitor open tabs of victims

• Execute JS on every tab

• Extract HTML

• Read/write cookies

• Access localStorage

• Manipulate browser history

• Take screenshots of tabs

• Inject BeEF hooks / keyloggers
Hopefully, with the information provided,
exploiting Chrome Extensions can prove to be a
useful tactic in real-life security assessments.